CAPEC201

External Entity Attack

Attack Pattern ID: 201 (Standard Attack Pattern Completeness: Stub)

Typical Severity: Medium

Status: Draft

Description

Summary

An attacker creates an XML document that contains an external entity reference. External entity references take the form of <!ENTITY name SYSTEM "uri"> declarations in a DTD. Because many processors do not validate documents that declare external entities, the target of the reference may never be checked, which can allow an attacker to make the processor open arbitrary files or network connections. For example, the following DTD would attempt to open the /dev/tty device:

<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>

Attack Prerequisites

The target must follow external entity references without validating the reference target.

Resources Required

The attacker must be able to trick the target into loading an XML document with a crafted external entity reference.

Solutions and Mitigations

Configure the XML processor to only retrieve external entities from trusted sources.
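The following added example (not part of the CAPEC entry) shows one way to apply this mitigation with Python's standard-library SAX parser: a cheap pre-parse screen that flags any SYSTEM/PUBLIC entity declaration, plus an EntityResolver that lets the parser fetch only allowlisted URIs and records every refused reference for auditing. The sample documents are constructed; the first wraps the /dev/tty DTD quoted in the description.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

# Constructed sample documents: the first embeds the DTD quoted in the CAPEC
# description, the second is a benign document with no DTD at all.
XXE_DOC = '<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]><doc>&ent;</doc>'
BENIGN_DOC = '<doc>hello</doc>'

# Matches general or parameter entity declarations with an external identifier.
_EXTERNAL_ENTITY_DECL = re.compile(r'<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b', re.I)

def declares_external_entity(xml_text):
    """Pre-parse screen: True if the document declares any external entity."""
    return _EXTERNAL_ENTITY_DECL.search(xml_text) is not None

class TrustedOnlyResolver(EntityResolver):
    """Allow the parser to retrieve only system identifiers on an explicit allowlist."""
    def __init__(self, allowed_uris):
        self.allowed = frozenset(allowed_uris)
        self.refused = []  # audit trail of every blocked reference

    def resolveEntity(self, publicId, systemId):
        if systemId in self.allowed:
            return systemId
        self.refused.append(systemId)
        raise xml.sax.SAXException("refused external entity: %r" % (systemId,))

class TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

def parse_with_allowlist(xml_text, allowed_uris=()):
    """Parse untrusted XML. Returns (text, refused_uris); text is None if a
    reference outside the allowlist aborted the parse."""
    parser = xml.sax.make_parser()
    # External general entities stay enabled; the resolver enforces trust.
    parser.setFeature(feature_external_ges, True)
    resolver = TrustedOnlyResolver(allowed_uris)
    parser.setEntityResolver(resolver)
    handler = TextCollector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.StringIO(xml_text))
    except xml.sax.SAXException:
        return None, list(resolver.refused)
    return "".join(handler.parts), list(resolver.refused)
```

Running the screen first is cheap enough for a gateway or log pipeline; the resolver is the defence that holds even when a document slips past the pattern.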

Related Vulnerabilities

Vulnerability ID: CVE-2008-0628

Relationship Description: The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources.